CVE-2025-9090
Published: 17 August 2025
Summary
CVE-2025-9090 is a low-severity Injection (CWE-74) vulnerability in Tenda AC20 firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 11.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability identified as CVE-2025-9090 affects the Tenda AC20 router running firmware 16.03.08.12. It resides in the websFormDefine function within the /goform/telnet file of the Telnet Service component. The issue stems from improper handling of input that permits command injection, as classified under CWE-74 and CWE-77.
The flaw can be exploited remotely by an authenticated user with low privileges. Successful manipulation allows an attacker to inject and execute arbitrary commands, resulting in limited impacts to confidentiality, integrity, and availability on the affected device. A proof-of-concept exploit has been publicly disclosed via GitHub and is available for use.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0924 on 2025-12-18 before receding to the current value of 0.0368, indicating emerging exploitation interest after disclosure. The provided references consist of public vulnerability database entries and exploit details but contain no information on official patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25139
Vulnerability details
A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the web-managed Telnet service enables remote exploitation of a public-facing application (T1190), exploitation of remote services (T1210), indirect command execution (T1202), and execution of CLI commands on the network device (T1059.008).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs reaching the websFormDefine function, blocking the command injection payload before it is executed.
- CM-7 (Least Functionality): requires disabling or restricting non-essential functions such as the exposed Telnet service (/goform/telnet) that contains the vulnerable code path.
- AC-6 (Least Privilege): limits the privileges available to the low-privilege account used in the exploit, reducing the scope of commands that can be injected.